Univention Bugzilla – Bug 43596
linux: Multiple security issues (ES 3.3)
Last modified: 2017-06-28 16:23:32 CEST
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 (unreleased) fixes a couple of issues:

* perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787)
* perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)
* dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
* perf: Do not double free (dependency of fix for CVE-2017-6001)
* fbdev: color map copying bounds checking (CVE-2016-8405)
* sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191)
* [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
* USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
* ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897)

Upstream Debian Jessie Kernel 3.16.39-1 (released) fixes a couple of issues:

* netlink: Fix dump skb leak/double free (CVE-2016-9806)
* block: fix use-after-free in sys_ioprio_get() (CVE-2016-7911)
* block: fix use-after-free in seq file (CVE-2016-7910)
* [arm64] perf: reject groups spanning multiple HW PMUs (CVE-2015-8955)
* firewire: net: guard against rx buffer overflows (CVE-2016-8633)
* brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (CVE-2016-8658)
* vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083, CVE-2016-9084)
* fs: Give dentry to inode_change_ok() instead of inode
* fs: Avoid premature clearing of capabilities (CVE-2015-1350)
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
* sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
* perf: Fix race in swevent hash (CVE-2015-8963)
* tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964)
* usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
* HID: core: prevent out-of-bound readings (CVE-2016-7915)
* netfilter: nfnetlink: correctly validate length of batch messages (CVE-2016-7917)
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
* net: Add __sock_queue_rcv_skb()
* rose,dccp: limit sk_filter trim to payload
* tcp: take care of truncations done by sk_filter() (CVE-2016-8645)
* mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
* [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
* sctp: validate chunk len before actually using it (CVE-2016-9555)
* sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576, CVE-2016-10088)
* [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
* ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 has been released with two additional issues fixed:

* KVM leaks page references when emulating a VMON for a nested hypervisor. This can be used by a privileged user in a guest VM for denial of service or possibly to gain privileges in the host (CVE-2017-2596)
* Denial-of-service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option (CVE-2017-5970)
repo_admin.py -U -p linux -r 3.3 -s errata3.3-1 -d wheezy-backports # 3.16.39-1+deb8u1~bpo70+1

Package: linux
Version: 3.16.39-1~bpo70+1~ucs3.3.223.201703091448
Branch: ucs_3.3-0
Scope: errata3.3-1
r77592 | Bug #43596 linux: Copyright 2017
r77591 | Bug #43596 linux: Update to 3.16.39

Package: univention-kernel-image
Version: 7.100.0-12.123.201703101620
Branch: ucs_3.3-0
Scope: errata3.3-1

r77595 | Bug #43596: linux-3.16.39 for errata 3.3-1

FYI: I didn't check what is already back-ported from <https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41> and what not.

QA: dmesg diff

# diff 3.16.0-ucs2*
4c4
< Linux version 3.16.0-ucs216-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5~ucs3.3.12.201602191338) ) #1 SMP Debian 3.16.38-0.1~bpo70+1.216.201611212052 (2016-11-21)
---
> Linux version 3.16.0-ucs223-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5~ucs3.3.12.201602191338) ) #1 SMP Debian 3.16.39-1~bpo70+1~ucs3.3.223.201703091448 (2017-03
302,303c302,306
< simple-framebuffer simple-framebuffer.0: framebuffer at 0xfc000000, 0x160000 bytes, mapped to 0xffffc90000200000
< simple-framebuffer simple-framebuffer.0: format=r8g8b8, mode=800x600x24, linelength=2400
---
> efifb: probing for efifb
> efifb: framebuffer at 0xfc000000, mapped to 0xffffc90000200000, using 1408k, total 1408k
> efifb: mode is 800x600x24, linelength=2400, pages=1
> efifb: scrolling: redraw
> efifb: Truecolor: size=0:8:8:8, shift=0:16:8:0
305c308
< simple-framebuffer simple-framebuffer.0: fb0: simplefb registered!
---
> fb0: EFI VGA frame buffer device

See Bug #42754 comment 1 for the explanation why SYSFB was disabled.
The next 3.16.42 is scheduled for Wed 2017-03-15
3.16.42 fixes at least:

CVE : upstream commit
=======================================================
CVE-2017-5669: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
CVE-2017-6348: 4c03b862b12f980456f9de92db6d508a4999b788
CVE-2017-2596: 06ce521af9558814b8606c0476c54497cf83a653
CVE-2017-6345: 8b74d439e1697110c5e5c600643e823eb1dd0762
CVE-2017-6346: d199fab63c11998a602205f7ee7ff7c05c97164b
CVE-2017-6353: 2dcab598484185dea7ec22219c76dcdd59e3cb90
CVE-2017-6353: dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
CVE-2017-2636: 82f2341c94d270421f383641b7cd670e474db56b

We should pick it up once it's released in jessie-security.
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 (unreleased) fixes a couple of additional issues:

* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (CVE-2016-9588)
* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (CVE-2017-5986)
* CVE-2017-2636 CVE-2017-5669 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348 CVE-2017-6353 (see descriptions below)

From the commit hashes mentioned in the git log of linux-stable branch linux-3.16.y tag v3.16.42 I guess at least these additional issues are fixed there:

* fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts (CVE-2016-6213)
* The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632)
* Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time (CVE-2016-9120)
* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (CVE-2016-9588)
* Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (CVE-2016-10200)
* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (CVE-2016-10208)
* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (CVE-2017-2636)
* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (CVE-2017-5669)
* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (CVE-2017-6214)
* The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (CVE-2017-6345)
* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346)
* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (CVE-2017-6348)
* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353)
r17459 | Bug #43596 linux: 3.16.43 for errata-3.3.1
r17460 | Bug #43596 linux: 3.16.43 for errata-3.3.1 2

Package: linux
Version: 3.16.39-1~bpo70+1~ucs3.3.225.201704150007
Branch: ucs_3.3-0
Scope: errata3.3-1

r78798 | Bug #43596 linux: Update to 3.16.43

Package: univention-kernel-image
Version: 7.100.0-13.124.201704150020
Branch: ucs_3.3-0
Scope: errata3.3-1

r78799 | Bug #43596 linux: Update to 3.16.43 YAML
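A check that fits this ticket, added here as an example and not a Univention or Debian tool: a minimal re-implementation of the dpkg version ordering (including the `~` rule that revisions such as `1~bpo70+1~ucs3.3.225` depend on), so the package version announced above can be compared against what a host actually reports. The function names and the constant `FIXED_LINUX_VERSION` are this example's own; the version strings are the ones quoted in this ticket.

```python
import re
from itertools import zip_longest
# Added example, not a Univention or Debian tool: a minimal re-implementation of the
# dpkg version ordering, used to check that an installed UCS 3.3 kernel source package
# is at least the version this erratum ships (version strings taken from the ticket).
FIXED_LINUX_VERSION = "3.16.39-1~bpo70+1~ucs3.3.225.201704150007"

def _char_order(c):
    if c == "~":
        return -1            # '~' sorts before everything, even the end of the string
    if c == "":
        return 0             # end of the non-digit run
    return ord(c) if c.isalpha() else ord(c) + 256   # letters sort before '+', '.', ...

def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or revision) the dpkg way."""
    while a or b:
        # Leading non-digit runs are compared character by character ...
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            diff = _char_order(ca) - _char_order(cb)
            if diff:
                return -1 if diff < 0 else 1
        # ... then leading digit runs are compared numerically.
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, fixed=FIXED_LINUX_VERSION):
    """True when the installed source package version already carries the erratum."""
    return compare_versions(installed, fixed) >= 0
```

The previous UCS 3.3 kernel from the dmesg diff, 3.16.38-0.1~bpo70+1.216.201611212052, compares below the fixed version, while the errata build itself and any later ~ucs3.3.NNN rebuild compare at or above it.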
Tests (i386): OK
Advisory: OK
<http://errata.software-univention.de/ucs/3.3/36.html>
<http://errata.software-univention.de/ucs/3.3/37.html>